AHS 2|24 - After Microsoft key theft from crash dump - new IT audit topic: IT diagnostic data
It's hard to believe what netzwoche reported on 11 September 2023: A master key from a crash dump was stolen directly from a Microsoft lab in the USA. The hackers from the Chinese Storm-0558 group used this Azure Cloud Signing Key for the Azure Active Directory to attack 25 organisations, including the US government, from May 2023. They captured around 60,000 emails from ten accounts and extensive email address lists of the US authorities.
This hack can happen to all software manufacturers worldwide in the same way. It is a fundamental IT security and data protection risk when customers upload their IT diagnostic data to a manufacturer's support centre as part of problem management. This is because most dumps, logs and traces are gigabytes in size and contain keys, passwords, user IDs, IP addresses, bank and company secrets or even personal data. This sensitive data is freely accessible to the manufacturer and its support staff and developers. Nobody really knows exactly what happens to IT diagnostic data, who accesses it, when it is deleted and what "special utilisation" takes place. If employees' accounts are then compromised by external hackers, they also have direct access to the sensitive data. This is what happened in the Microsoft case.
For the IT audit, this security and data protection gap means a new audit topic for the next audit of IT operations. The aim is to prevent damage to the company. After all, IT diagnostic files are in need of protection. The large volumes of sensitive data should be anonymised before being uploaded to the manufacturer, for example.
This presentation sheds light on the new audit topic of IT diagnostic data for IT audits and IT auditing and provides specific information on the relevant issues in the audit catalogues.